How do you all handle security and monitoring for your publicly accessible services?
-
This is effectively the same damn thing with a single exception. If your VPN is down, there's no access to your server. If for whatever reason your firewall is down, there's unrestricted access to your server...
VPN is unquestionably the correct choice 100 times out of 100.
-
There is. It's called VPN Split Tunneling.
If you want to proxify your connection between you and a service, you enable the split. If you don't care, or want to not use the VPN, then disable it for that application. So it's effectively "proxify all connections to this app," which is the same as your use case.
-
If for whatever reason your firewall is down, there’s unrestricted access to your server…
I don't know what kind of firewall you use, but if my firewall is down there is NO traffic at all passing through!
And by the way, since I've replied to someone that don't want to use VPN because he doesn't want to give access to the whole network, I meant that he could use a VPN AND iptables to restrict the guest access to single services instead of the whole network.
-
Well...if you edit your post after someone has replied to it at least specify what's you've edited and don't pretend that the answer that somebody else has already given you wasn't about your non edited post!
If you (my mistake) wrote VPS instead of VPN, you can't pretend that I've answered about VPN!
If you can convince your family member and your friends to use a VPN to use your service, that's good for you, and I mean it!
But saying that it's quite impossible to do that, I think that I'm speaking for 99% of the self hoster (is this correct in English? Bah, you got me!) -
I don’t know what kind of firewall you use, but if my firewall is down there is NO traffic at all passing through!
Only a hardware firewall would do this. If it's software, like implied in your post, no traffic is filtered and all connections are accepted.
VPN is the least amount of work for the most secure setup. There's nothing to even argue, its superior in every way.
-
The entire point of selfhost is to host private services not available to the public. By literal definition, that's allowing only local traffic to connect to your services. It's infinitely more secure. A VPN allows you to extend those services over the clearnet to authorized devices via virtualized networks. You don't have to worry about messing with inbound/outbound ports, or worrying about software failure or misconfigurations accidentally exposing you to the clearnet. You don't have to worry about DDoS, or abuse. Being attacked? Bring down your VPN and that completely shuts down your issue. Your network is completely unreachable by anyone but a local host.
There's simply no room for an argument. VPN is objectively better in all possible situations.
-
Only a hardware firewall would do this. If it’s software, like implied in your post, no traffic is filtered and all connections are accepted.
Talking abut netfilter, since it manages also the forwardning, it for some strange reason it should crash, NO IP traffic is flowing
VPN is the least amount of work for the most secure setup. There’s nothing to even argue, its superior in every way.
If there's nothing to even argue, then I say goodby to you since I'm here to discuss.
All the best! -
The entire point of selfhost is to host private services not available to the public
Probably your entire point, a lot of self hosters self host services that family members and friends can reach most of the time without the need of a VPN. This very community is full of examples.It’s infinitely more secure
I'm with you about that.
There’s simply no room for an argument.
As stated in the other post, I'm sorry about that, I'm here to discuss and learn, if you don't have room for an argument, our discussion ends here.
VPN is objectively better in all possible situations.
Exactly! in all possible situation!!!
-
I set the VPN tunnel from the VPS to deny everything to the internal network by default, then put the services that need to be accessed on the allow list in the firewall. So the VPN endpoint from the VPS can only hit the very specific IPs/ports/protocols that were explicitly allowed. There is still the possibility of a compromise chain of VPS->service->container/VM->hypervisor->internal network access, but I feel comfortable with those layers.
You could also setup an IDS such as Snort to pick up on that exploit traffic between the services and internal VPN endpoint if extra security is necessary on top of fail2ban and log alerts on the VPS.
-
I didn't know that was the entire point of self hosting. Some people want to self host things for the public, like a website or game server.
There is a program called "yunohost" to simplify this process.
Maybe a VPS is better for website hosting but some people want to self host.